Setting up SSL Certificates on JBoss

Preparing Keystore

(One-time activity to be done before obtaining signed certs from trusted authorities

  • Go to the keytool located in the bin directory of JDK installation
  • Execute the following command

keytool -v -genkeypair -alias <replace with alias name> -keyalg RSA -keysize 2048 -sigalg SHA1withRSA -keypass <replace with key pass> -keystore keystore name>.keystore -storepass <replace with store pass> -storetype jks -validity 365 -dname “cn=<replace with website name> , ou=<replace with Organization Unit>, o=<replace with organization name>, l=<replace with City>, c=<replace with country code>

  • This command will generate a keystore with a keypair of JKS type of 2048 keysize and with a validity of 365 days (1 year)
  • Verify the content of keystore using the following command

 keytool -keystore -list

  • Once the keystore is ready, generate a CSR (Certificate Signing Request), this can be done using following command

keytool -certreq -keyalg RSA -alias <replace with alias name> -file <csr file name> -keystore <keystore file name for which csr is generated>

  • After generating the CSR, send it to your CA to get the public SSL cert.

Installing Public SSL cert reply into the Keystore

  • Public SSL cert will have the following format (typically) <CN name>.crt , example.
  •  Execute the following command on the keystore to install the certificate reply.

 NOTE: Remember to import CA signed cert with the same alias as you generated keypair with and add -trustcacerts option as well, otherwise, it will not be imported properly and server will always return the self-signed cert using private key from keystore.

keytool -importcert -keystore <keystore name> -storepass <keystore pass> -file ssl cert received from CA>

keytool -importcert -keystore <keystore name> -storepass <keystore pass> -file ssl cert received from CA> -alias keystore> -trustcacerts

  •  After executing the second command, you should get the message like

“Certificate reply was installed in keystore” 

  •  Verify the content of keystore using the following command

 keytool -keystore <keystore name> -list

Preparing Truststore

  • Truststore should contain all the ROOT and Intermedia CA certs from both the parties in the case of Mutual Authentication.
  • Create Truststore using the following command and add relevant certs using the following command

keytool -importcert -keystore trusstore> -storetype jks -storepass <trusstore password> -alias <alias for cert getting imported> -file <cert file name>

  •  Verify the content of truststore using the following command

keytool -keystore <truststore name> -list

 JBOSS Setup

  • Copy the ready keystore and truststore files and paste them in the conf directory of the JBoss server getting used. Example


  • Go to the below location and open server.xml


  • Change the server.xml to have only following entry for connectors (comment any other connector entry in server tags, other than the ones shown below)

<Connector protocol=”HTTP/1.1″ port=”8080″ address=”${jboss.bind.address}” connectionTimeout=”20000″ redirectPort=”8443″ />

<Connector protocol=”org.apache.coyote.http11.Http11Protocol” SSLEnabled=”true” port=”443″ address=”${jboss.bind.address}” scheme=”https” secure=”true” clientAuth=”false” keystoreFile=”${jboss.server.home.dir}/conf/keystore name>.keystore” keystorePass=”keystore pass> ” sslProtocol=”TLS” />

  • Go to run.conf.bat at following location /jboss-as/bin to provide truststore location to the JBOSS when it starts. Add following JAVA_OPTS

set “JAVA_OPTS=%JAVA_OPTS%,handshake<truststore_location>/<truststore name>.truststore<truststore password>

 PS: you can remove,handshake, to disable SSL debugging.